What is a privacy notice?
A Privacy Notice is a statement by the Trust to staff that describes how we collect, use, retain and disclose personal and health information which we hold.
This Privacy Notice includes applicants, employees (and former employees), workers (including agency, casual and contracted staff), volunteers, trainees, those carrying out work experience and external clients to which University Hospitals Sussex NHS Foundation Trust provides occupational health services.
Why issue a privacy notice?
This privacy notice is part of our commitment to ensure that we process your personal information/data fairly and lawfully. This notice also explains what rights you have to control how we use your information. It is part of ensuring compliance with the Data Protection Act 2018.
Collecting and processing your data
We collect and process your personal and health data in line with the Data Protection Act 2018.
Who is responsible for ensuring that my data is processed appropriately and kept safe?
University Hospitals Sussex NHS Foundation Trust (UHSussex) is the Data Controller for your personal and health information.
The Trust also has a Data Protection Officer, Andrew Harvey, who assists the organisation by providing independent specialist advice on data protection obligations and impact assessments. See below for contact details.
Why does University Hospitals Sussex NHS Foundation Trust Occupational Health services collect information about me?
University Hospitals Sussex NHS Foundation Trust Occupational Health Services (UHSussex OHS) collect your data to help determine various matters in relation to your health and work to keep both you and people you may be working with safe. This includes:
• whether you have any health conditions that may make it difficult or unsafe for you to do a
• testing to ensure that the work environment isn’t harming your health (health surveillance)
• whether you need any adjustments to help you successfully remain at or return to work
• whether you need any vaccinations or blood tests in relation to your work
• whether you would qualify for Ill Health Retirement.
What information does UHSussex OHS collect about me?
- We collect health data which could be supplied by you or your employer or University. We may also contact your GP, Specialist or other Healthcare Professional for health information but we would only do this with your written agreement (consent). We may also receive information from laboratories after testing your blood but again we would not test your blood without your consent.
- Personal data includes your name; address; date of birth; email address; mobile no. etc. which we collect so as to be able to identify and contact you.
- We may use a variety of means, including questionnaires, forms, direct questioning, and requests from third parties. Information may be collected by telephone, face-to-face, paper or electronic means.
What is the legal basis for processing my data?
If you work for public authorities, including the NHS and schools, we would process your data under Article 6 (e) of the General Data Protection Regulation (GDPR):
- “Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.”
If you do not work for or undertake placements in public authorities we would process your data under Article 6 (f) of the GDPR:
- “Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.”
Additionally, as much of the data we hold is health data, which is known as “special category data”, we would process this data under Article 9(2) (h) of the GDPR:
- “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee…”
Who will receive my data?
• Your data would only be shared with those that need to know.
• If you are applying for a job, this could be your manager, Human Resources (HR) or the Trust’s recruitment services.
• If you are already working, this could be your manager or HR.
• Unless we are simply clearing you to start a job, i.e. declaring you ‘fit’, we would ask your consent before providing your manager, recruitment, HR etc. with your health information and we would agree in advance with you what is to be shared.
• No confidential information held by UHSussex OHS will be disclosed without your explicit informed consent with the exception of:
o Where the disclosure is required by law (for example if ordered by a judge or a presiding officer of a court using a court order; to the HSE under the Health & Safety at Work etc. Act 1974; for statutory requirement to notify certain infectious diseases; to the NHS Counter Fraud Service to detect and prosecute Fraud);
o Where the disclosure is in the public interest (for example where a worker’s health endangers others and the worker refuses to disclose information which would allow potential harm to be avoided).
o Where disclosure of personal data is necessary for the above reasons, this will always be assessed on a case-by-case basis, using the minimum information necessary for the specific purpose and circumstances and with the appropriate security controls in place.
• Your data is not processed, transmitted or stored outside of the UK and is not made available to others outside of the department unless there is a legitimate reason or consent has been provided.
How long will my data be stored?
• Your data will be stored for six years after you leave your work, or up to your 75th birthday if this is sooner, before being destroyed.
• Records of health surveillance will be kept for 40 years from the date of the last health surveillance, with the exception of radiation medicals, which are kept for 50 years.
• If you supply information in relation to a new job and then do not start the job, your data will be stored for a maximum of one year.
Where will my data normally be stored?
• Paper occupational records will be stored in lockable filing cabinets in lockable offices which are secured at night and when UHSussex OHS is not staffed. Electronic data will be stored on Trust computers which have appropriate security measures in place to prevent unauthorised access. OH administration staff processing your data are bound by confidentiality statements and clinical staff follow their professional code of conduct, not to disclose your data inappropriately.
• On leaving your post the data held by UHSussex OHS will be archived. Our archiving services are bound by strict rules to ensure that the data is held securely and that confidentiality is maintained.
Can I withdraw my consent?
We do not process your data under the legal basis of “consent” but we would seek your consent to disclose information to your employer. You are able to withdraw your consent to the sharing of this information at any time before it is shared, unless there is a danger to your health or the health of others from not sharing this information as above.
How can I obtain a copy of my data?
In most instances you can be provided with a copy of your Occupational Health Records if you contact UHSussex OHS as below. You will not normally be charged for this service unless you request multiple copies.
What if I think my data is inaccurate or incomplete?
In most cases we will be able to quickly change inaccurate data or add to incomplete data if requested by contacting UHSussex OHS as below.
What if I think my data is no longer relevant?
We may be able to erase data if requested by you if your data is no longer required. It is, however, unlikely that we would be able to erase your data where it is processed under Article 6 (e) of the GDPR: “Public task” for example health surveillance records or where we have obtained the data to ensure that you or the people you will be working with remain safe. Please contact UHSussex OHS as below if you would like to discuss this further.
What if I don’t want my information processed?
You do have the right to object to the processing of your data, giving your reasons as to why you object. In these cases we would need to weigh up your rights with the legal grounds for continuing to process the data. If you do not provide the data requested or do not allow it to be processed we may not be able to provide health clearance for you to start a job or we may not be able to advise your employer whether you are fit to continue working or whether you need any adjustments to your job. Your employer may then have to make a decision without this information. Please contact UHSussex OHS as below if you would like to discuss this further.
What if I have further questions on the uses of my information?
Please contact UHSussex OHS or UHSussex Data Protection Officer Andrew Harvey as below.
What if I am unhappy about how my data is processed or have further questions on the uses of my information?
You have the right to complain if you are not satisfied with the way in which your data is processed. We recommend that you initially contact UHSussex OHS as below. If this does not resolve your issue you could also contact our Data Protection Officer Andrew Harvey or The Information Commissioner’s Office (ICO) as below.
UHSussex Occupational Health Services
Occupational Health Services, University Hospitals Sussex NHS Foundation Trust,
The Art Block, St Mary’s Site, Eastern Road, BRIGHTON BN2 5BE
Tel: 01273 696955 ext. 62983
UHSussex Data Protection Officer – Andrew Harvey
Information Commissioner’s Office (ICO)
Helpline 0303 123 1113